Friday, August 11, 2006

I know where you've been

Update: Removed the JS PoC from the template and pasted it below. Was messing up IE.

I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. On the right side column notice the "I know where you've been" heading. Below that, if you're using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to websites you've been to. Don't worry, I'm not capturing this data, only you can see it, though it does prove a point. This trick probably works in Internet Explorer, though I haven't tried to port the code to find out for sure. I wonder how long until the marketers start using this for additional visitor profiling. Feel free to view-source and find the trick.

Great presentation at Blackhat. I tried porting your code to IE last night, but ran into a bug where all of the links created with the appendChild method show up blue, no matter what. I referenced the color in IE using the currentStyle property, but it returns "#0000FF" for all links (and the links show up blue on screen as well). Any thoughts?

Ironic, you must have an array to brute force through using this method. But the thing is when you create links it's all in virtual space. So technically you could do thousands of domains and check 'em all in a few seconds.

I discovered this around a year ago... Instead of fishing, I called it history "fisting", because you can force-feed someone a huge list of links and see what sticks, then pull it out. This can all be done surreptitiously and report back to the server. Using XMLHttpRequest, you can send megabytes of links (mod_gzip is your friend) over time while someone browses a page... or if they just leave the page open.

I'm sure it was discovered before me too. [Update: the above paper makes that clear...] The easy way to fix it is for a browser to not change the vlink on any OFF-site links... that way an attacker can only find out which links on the current site you've seen, which they know anyway (from reading their own web logs).

I've received several comments via the blog and email informing me that many researchers have previously released a variety of similar JS/CSS history hacks. Many spanning several years back. Amazingly, most of them seem to be unknown to each other or myself. This happens often in this field when people find the same thing at the same time or find something that someone already found. I'm going through as many of the examples as I can to understand the exact mechanism they use. The implementation I have should be considered as just one more of many PoC's available. The novelty of the entire presentation I did at Black Hat was a collection of many JavaScript Malware hacks, not just this one. The point is to create a big picture of what is now possible in the browser. How we can use the browser to hack intranet websites.

Hmmm, I am using firefox 2 beta 1 with no extensions and it shows nothing. That could be due to the fact that your 'exploit' only has a limited number of sites in the list. I didn't check but I have been to google and slashdot and digg to name a few popular sites.

For security purposes I started using NoScript a few months ago so that JavaScript is blocked by default unless the website is whitelisted or I temporarily allow JavaScript on a website. Without JavaScript the hack doesn't work. This reduces at least the chances of such attacks. But until Firefox's history is locked up it would still be a vulnerability on whitelisted websites.

I'm using Firefox with TOR and Privoxy, and I appear to be immune from this. I'm guessing this has to do with the fact that Privoxy cuts out a lot of malicious code, forges referrer tags, and folds/spindles/mutilates any and all personal data before allowing access to it.

I couldn't believe it the first time I saw this, it's so simple and clever and at the same time powerful. And I see it has been discovered years ago.

I already made an IE version using also the color property, the currentStyle() method and a comparison with #0000ff does the job ;)

http://www.quirksmode.org/dom/getstyles.html

But I can see there's already an all-browser version in this blog.

Vasco, if you have this that works in IE, I would love to see it. I have yet to find a version of this that works correctly in IE. The ones mentioned on this page do not work. I have been trying to get one to work, but just can't seem to do it.

So basically you HAVE to test if you have been on the website before knowing the "history".

No way to just get the last url a person has been to (not talking about HTTP_REFERER, it needs to be linked from a webpage)?

Gab, that is the current understanding. Without noticeable browser lag, you can test for about 2-3 thousand URLs, which is fairly good coverage over popular websites. It's not perfect, but it's pretty good.

It would be useful... from a PoC point of view, of course. I would certainly appreciate seeing it in the code, as I do not understand XMLHTTP at all, and don't understand how you would return something that is local to something remote.

I suspect that what did the trick for me was the fact that I disabled my disk cache and set Firefox to always delete all cookies on exit.

However, not even the latest sites I visited after last Firefox start were listed. I guess I got my settings just right.

I obviate the need to use CSS by simply creating a dummy anchor node and getting its (unvisited) colour.

The browser's visited colour can also be obtained by setting the dummy anchor's href to document.URL.
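The two-anchor calibration in the comment above (a never-visited link for the baseline colour, a link to document.URL for the visited colour) is also exactly the probe a site or a browser tester can use to find out whether the browser still exposes visited state to script at all; browsers later changed getComputedStyle to report the unvisited colour for :visited links precisely to close this channel. The following is an added example, not the blog's PoC or anyone's code from the thread: it probes only those two known URLs, so it reveals nothing about the user's history, and reports whether the leak exists. It also normalises the colour strings different engines return (the "#0000FF" versus "rgb(0, 0, 255)" mismatch that the IE porting comments ran into) before comparing them. The function names and the reserved `.example` probe host are assumptions of this example.

```javascript
// Added example (not the original blog's PoC): a self-check that reports
// whether this browser lets script tell a visited link from an unvisited one.
// It probes two URLs only: the current page (always in history) and a
// constructed host under the reserved .example TLD (never in history).

// Named colours browsers commonly use for link defaults (assumed subset).
const NAMED = { blue: [0, 0, 255], purple: [128, 0, 128], red: [255, 0, 0], black: [0, 0, 0] };

// Canonicalise "#0000FF", "#00f", "rgb(0, 0, 255)", "rgba(...)" or a name to
// "rgb(r,g,b)" so that two engines' representations compare equal.
function normalizeColor(value) {
  const v = String(value).trim().toLowerCase();
  let m = v.match(/^#([0-9a-f]{6})$/);
  if (m) {
    const n = parseInt(m[1], 16);
    return `rgb(${(n >> 16) & 255},${(n >> 8) & 255},${n & 255})`;
  }
  m = v.match(/^#([0-9a-f]{3})$/);
  if (m) {
    const [r, g, b] = m[1].split('').map((c) => parseInt(c + c, 16));
    return `rgb(${r},${g},${b})`;
  }
  m = v.match(/^rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)/);
  if (m) return `rgb(${+m[1]},${+m[2]},${+m[3]})`;
  if (NAMED[v]) return `rgb(${NAMED[v].join(',')})`;
  return null; // unknown representation: treated as inconclusive by the caller
}

// Interpret the two observed colours.
//   unvisitedColor: computed colour of an anchor that cannot be in history
//   visitedColor:   computed colour of an anchor pointing at document.URL
// A visible difference means the browser leaks visited state to script.
function classifyVisitedLeak(unvisitedColor, visitedColor) {
  const u = normalizeColor(unvisitedColor);
  const v = normalizeColor(visitedColor);
  if (u === null || v === null) return 'inconclusive';
  return u === v ? 'protected' : 'leaks';
}

// Run the probe against a real DOM. Returns null when no DOM is available
// (e.g. under Node), so the pure functions above remain testable offline.
function checkBrowser(doc) {
  if (!doc || !doc.body || !doc.defaultView) return null;
  const view = doc.defaultView;
  // Constructed, random host under the reserved example TLD: never visited.
  const never = 'http://never-visited-' + Math.random().toString(36).slice(2) + '.example/';
  const probe = (href) => {
    const a = doc.createElement('a');
    a.href = href;
    a.textContent = 'x';
    doc.body.appendChild(a); // must be attached for a computed style
    const color = view.getComputedStyle(a).color;
    doc.body.removeChild(a);
    return color;
  };
  return classifyVisitedLeak(probe(never), probe(doc.URL));
}

if (typeof document !== 'undefined') {
  console.log('visited-state leak:', checkBrowser(document));
}
```

In a browser the script logs `protected` when getComputedStyle returns the same colour for both anchors, `leaks` when the visited anchor's colour differs, and `inconclusive` if the engine returns a colour format the normaliser does not recognise. Because the comparison is done on canonical strings, an IE-style `currentStyle` value of `#0000FF` and a `rgb(0, 0, 255)` from another engine compare equal instead of producing a false `leaks` verdict.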

Hyves (a Dutch SN) uses subdomains. For instance, my url over there is martiendejong.hyves.nl

If I would generate a list of profile urls (or better, something like {profileurl}/manage.php) and iterate over it I think it would be possible.

I only have to find a way do this in the background for about 20M profiles.. :p

Slightly more elegant than a brute force list of specific URLs, and once a basic search result has been found I dare say this could be extended further using PHP to scrape links from the target page, thus forming a feedback loop that would be actively hunting down the browser history rather than stumbling blindly.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!